|
|
Microsoft IE强迫脚本代码执行漏洞
发布时间:2002-02-18
更新时间:2002-02-18
严重程度:中
威胁程度:服务器信息泄露
错误类型:输入验证错误
利用方式:服务器模式
BUGTRAQ ID:4082
受影响系统Microsoft Internet Explorer 5.5SP2
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Workstation
- Microsoft Windows 2000 Workstation SP1
- Microsoft Windows 2000 Workstation SP2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0SP3
- Microsoft Windows NT 4.0SP4
- Microsoft Windows NT 4.0SP5
- Microsoft Windows NT 4.0SP6
- Microsoft Windows NT 4.0SP6a
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Terminal Server 4.0
Microsoft Internet Explorer 5.5SP1
- Microsoft Windows 2000 Workstation
- Microsoft Windows 2000 Workstation SP1
- Microsoft Windows 2000 Workstation SP2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0SP3
- Microsoft Windows NT 4.0SP4
- Microsoft Windows NT 4.0SP5
- Microsoft Windows NT 4.0SP6
- Microsoft Windows NT 4.0SP6a
Microsoft Internet Explorer 5.5
- Microsoft Windows 2000 Workstation
- Microsoft Windows 2000 Workstation SP1
- Microsoft Windows 2000 Workstation SP2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0SP3
- Microsoft Windows NT 4.0SP4
- Microsoft Windows NT 4.0SP5
- Microsoft Windows NT 4.0SP6
- Microsoft Windows NT 4.0SP6a
Microsoft Internet Explorer 6.0
- Microsoft Windows 2000 Workstation
- Microsoft Windows 2000 Workstation SP1
- Microsoft Windows 2000 Workstation SP2
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0SP6a 详细描述
Microsoft Internet Explorer 可以配置成不执行WEB页上嵌入的脚本代码,
不过存在一个漏洞可以导致IE允许在这个安全设置情况下的强迫执行脚本代码。
MSIE在页面初始装载的时候进行安全检查,任意脚本代码在如上设置下被探测到
见不被执行,MSIE没有检查所有事件句柄,如果嵌入到WEB页中作为异步事件句柄
这样可造成脚本代码仍旧被执行。
'Active Scripting' 的'Disable'标志将不会阻止脚本代码执行。
测试代码
见描述
解决方案
下载如下补丁程序:
Microsoft Internet Explorer 5.5SP2:
Microsoft Patch q316059_IE 5.5SP2
http://download.microsoft.com/download/ie55sp2/secpac25/5.5_sp2/WIN98Me/EN-US/q316059.exe
Microsoft Internet Explorer 5.5SP1:
Microsoft Patch q316059_IE 5.5SP1
http://download.microsoft.com/download/ie55sp1/secpac25/5.5_sp1/WIN98Me/EN-US/q316059.exe
Microsoft Internet Explorer 5.5:
Microsoft Internet Explorer 6.0:
Microsoft Patch q316059_IE6
http://download.microsoft.com/download/IE60/secpac25/6/W98NT42KMeXP/EN-US/q316059.exe
相关信息
参考:http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
|
